* New upstream release (LP: #535029).

  - After a transition period of about 10 years, this release disables SSH
    protocol 1 by default.  Clients and servers that need to use the
    legacy protocol must explicitly enable it in ssh_config / sshd_config
    or on the command-line.
  - Remove the libsectok/OpenSC-based smartcard code and add support for
    PKCS#11 tokens.  This support is enabled by default in the Debian
    packaging, since it now doesn't involve additional library
    dependencies (closes: #231472, LP: #16918).
  - Add support for certificate authentication of users and hosts using a
    new, minimal OpenSSH certificate format (closes: #482806).
  - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
  - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
    package, this overlaps with the key blacklisting facility added in
    openssh 1:4.7p1-9, but with different file formats and slightly
    different scopes; for the moment, I've roughly merged the two.)
  - Various multiplexing improvements, including support for requesting
    port-forwardings via the multiplex protocol (closes: #360151).
  - Allow setting an explicit umask on the sftp-server(8) commandline to
    override whatever default the user has (closes: #496843).
  - Many sftp client improvements, including tab-completion, more options,
    and recursive transfer support for get/put (LP: #33378).  The old
    mget/mput commands never worked properly and have been removed
    (closes: #270399, #428082).
  - Do not prompt for a passphrase if we fail to open a keyfile, and log
    the reason why the open failed to debug (closes: #431538).
  - Prevent sftp from crashing when given a "-" without a command.  Also,
    allow whitespace to follow a "-" (closes: #531561).

1 files changed, 98 insertions, 50 deletions

diff --git a/auth.c b/auth.c
index 68370ca94..54f4548f1 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.80 2008/11/04 07:58:09 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.86 2010/03/05 02:58:11 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -70,6 +70,7 @@
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
+#include "authfile.h"
 #include "monitor_wrap.h"
 
 /* import */
@@ -96,7 +97,6 @@ allowed_user(struct passwd * pw)
 {
         struct stat st;
         const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
-        char *shell;
         u_int i;
 #ifdef USE_SHADOW
         struct spwd *spw = NULL;
@@ -154,22 +154,28 @@ allowed_user(struct passwd * pw)
         }
 
         /*
-         * Get the shell from the password data.  An empty shell field is
-         * legal, and means /bin/sh.
+         * Deny if shell does not exist or is not executable unless we
+         * are chrooting.
          */
-        shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
-
-        /* deny if shell does not exists or is not executable */
-        if (stat(shell, &st) != 0) {
-                logit("User %.100s not allowed because shell %.100s does not exist",
-                    pw->pw_name, shell);
-                return 0;
-        }
-        if (S_ISREG(st.st_mode) == 0 ||
-            (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
-                logit("User %.100s not allowed because shell %.100s is not executable",
-                    pw->pw_name, shell);
-                return 0;
+        if (options.chroot_directory == NULL ||
+            strcasecmp(options.chroot_directory, "none") == 0) {
+                char *shell = xstrdup((pw->pw_shell[0] == '\0') ?
+                    _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */
+
+                if (stat(shell, &st) != 0) {
+                        logit("User %.100s not allowed because shell %.100s "
+                            "does not exist", pw->pw_name, shell);
+                        xfree(shell);
+                        return 0;
+                }
+                if (S_ISREG(st.st_mode) == 0 ||
+                    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
+                        logit("User %.100s not allowed because shell %.100s "
+                            "is not executable", pw->pw_name, shell);
+                        xfree(shell);
+                        return 0;
+                }
+                xfree(shell);
         }
 
         if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
@@ -399,38 +405,6 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
         return host_status;
 }
 
-int
-reject_blacklisted_key(Key *key, int hostkey)
-{
-        char *fp;
-
-        if (blacklisted_key(key, &fp) != 1)
-                return 0;
-
-        if (options.permit_blacklisted_keys) {
-                if (hostkey)
-                        error("Host key %s blacklisted (see "
-                            "ssh-vulnkey(1)); continuing anyway", fp);
-                else
-                        logit("Public key %s from %s blacklisted (see "
-                            "ssh-vulnkey(1)); continuing anyway",
-                            fp, get_remote_ipaddr());
-                xfree(fp);
-        } else {
-                if (hostkey)
-                        error("Host key %s blacklisted (see "
-                            "ssh-vulnkey(1))", fp);
-                else
-                        logit("Public key %s from %s blacklisted (see "
-                            "ssh-vulnkey(1))",
-                            fp, get_remote_ipaddr());
-                xfree(fp);
-                return 1;
-        }
-
-        return 0;
-}
-
 
 /*
  * Check a given file for security. This is defined as all components
@@ -488,7 +462,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
                         return -1;
                 }
 
-                /* If are passed the homedir then we can stop */
+                /* If are past the homedir then we can stop */
                 if (comparehome && strcmp(homedir, buf) == 0) {
                         debug3("secure_filename: terminating check at '%s'",
                             buf);
@@ -562,7 +536,28 @@ getpwnamallow(const char *user)
         parse_server_match_config(&options, user,
             get_canonical_hostname(options.use_dns), get_remote_ipaddr());
 
+#if defined(_AIX) && defined(HAVE_SETAUTHDB)
+        aix_setauthdb(user);
+#endif
+
         pw = getpwnam(user);
+
+#if defined(_AIX) && defined(HAVE_SETAUTHDB)
+        aix_restoreauthdb();
+#endif
+#ifdef HAVE_CYGWIN
+        /*
+         * Windows usernames are case-insensitive.  To avoid later problems
+         * when trying to match the username, the user is only allowed to
+         * login if the username is given in the same case as stored in the
+         * user database.
+         */
+        if (pw != NULL && strcmp(user, pw->pw_name) != 0) {
+                logit("Login name %.100s does not match stored username %.100s",
+                    user, pw->pw_name);
+                pw = NULL;
+        }
+#endif
         if (pw == NULL) {
                 logit("Invalid user %.100s from %.100s",
                     user, get_remote_ipaddr());
@@ -597,6 +592,59 @@ getpwnamallow(const char *user)
         return (NULL);
 }
 
+/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
+int
+auth_key_is_revoked(Key *key, int hostkey)
+{
+        char *key_fp;
+
+        if (blacklisted_key(key, &key_fp) == 1) {
+                if (options.permit_blacklisted_keys) {
+                        if (hostkey)
+                                error("Host key %s blacklisted (see "
+                                    "ssh-vulnkey(1)); continuing anyway",
+                                    key_fp);
+                        else
+                                logit("Public key %s from %s blacklisted (see "
+                                    "ssh-vulnkey(1)); continuing anyway",
+                                    key_fp, get_remote_ipaddr());
+                        xfree(key_fp);
+                } else {
+                        if (hostkey)
+                                error("Host key %s blacklisted (see "
+                                    "ssh-vulnkey(1))", key_fp);
+                        else
+                                logit("Public key %s from %s blacklisted (see "
+                                    "ssh-vulnkey(1))",
+                                    key_fp, get_remote_ipaddr());
+                        xfree(key_fp);
+                        return 1;
+                }
+        }
+
+        if (options.revoked_keys_file == NULL)
+                return 0;
+
+        switch (key_in_file(key, options.revoked_keys_file, 0)) {
+        case 0:
+                /* key not revoked */
+                return 0;
+        case -1:
+                /* Error opening revoked_keys_file: refuse all keys */
+                error("Revoked keys file is unreadable: refusing public key "
+                    "authentication");
+                return 1;
+        case 1:
+                /* Key revoked */
+                key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+                error("WARNING: authentication attempt with a revoked "
+                    "%s key %s ", key_type(key), key_fp);
+                xfree(key_fp);
+                return 1;
+        }
+        fatal("key_in_file returned junk");
+}
+
 void
 auth_debug_add(const char *fmt,...)
 {